NSO Group Tools Used to Hack Journalist Omar Radi’s iPhone

· Andrew Orr · Link

An investigation from Amnesty International reveals that NSO Group tools were used to target human rights journalist Omar Radi via his iPhone.

Through our investigation we were able to confirm that his phone was targeted and put under surveillance during the same period he was prosecuted. This illustrates how human rights defenders (HRDs) may often have to deal with the twin challenges of digital surveillance alongside other tactics of criminalisation at the hands of Moroccan authorities leading to a shrinking space for dissent.

This is the same NSO Group that hopes to woo American law enforcement with its dazzling array of hacking tools.

Hacker Bribed Roblox Insider to Access Kids’ Data

· Andrew Orr · Link

Motherboard reports that a hacker had bribed a Roblox insider to access the data of over 100 million users.

“I did this only to prove a point to them,” the hacker told Motherboard in an online chat. Motherboard granted the hacker anonymity to speak more candidly about a criminal incident.

Beyond just viewing user data, the hacker was able to reset passwords and change user data too […] The hacker said they changed the password for two accounts and sold their items. One of the screenshots appears to show the successful change of two-factor authentication settings […]

Proving a point my a**. This person tried to claim a bug bounty from Roblox, which denied it because he/she acted “more maliciously than a legitimate security researcher.” He messed with the accounts after the denial, so his point was revenge.

Update: A Roblox spokesperson informed me that only a small number of customers were affected, not 100 million, and that immediate action was taken to address the issue. Additionally, it was a Roblox insider and not an employee.

OpenWRT is Vulnerable to Remote Code Execution Attacks

· Andrew Orr · Link

For three years, router firmware OpenWRT has been vulnerable to remote code execution attacks.

The researcher also found that it was trivial for attackers with moderate experience to bypass digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWRT maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.

This is especially concerning because OpenWRT is commonly recommended by privacy advocates as an alternative to built-in proprietary router firmware.

Grayshift Increases Price as it Struggles to Hack iPhones

· Andrew Orr · Link

iOS forensics company Grayshift was forced to raise its prices last year, noting that “Forensic Access to iOS continues to increase in difficulty and complexity.”

“I think it’s going to get harder and harder to find these kinds of unlocking flaws, because Apple does control the entire stack,” Alex Stamos, director of the Stanford Internet Observatory and former Facebook chief security officer, previously told Motherboard. “I think a couple more hardware revisions of understanding the ways that these unlocks are happening and [Apple is] going to make it extremely difficult. Which then will bring this debate back…”

It’s a complex issue. On one hand, it’s good news for Apple customers. On the other hand, it makes the government fight tooth and nail to take away our security.

How Worried Should You Be About Public USB Charging Stations?

· Andrew Orr · Link

Today DuckDuckGo published a post about the risks of using public charging stations. Technology exists that lets hackers install malware via these chargers. While I personally think the risk is a bit overblown, this is an argument I think can be added in favor of a portless iPhone.

Although it has become synonymous with charging, USB technology was initially developed with the aim of transmitting data. Thus, hackers can use these public charging stations to install malware on your smartphone or tablet through a compromised USB cable. This process, called “juice jacking”, allows hackers to read and export your data, including your passwords. They can even lock your device this way, rendering it unusable.

Do You Own a Tesla? It’s Vulnerable to Hacking

· Andrew Orr · Link

Security experts found that Teslas are vulnerable to certain kinds of hacks. One expert, Brian DeMuth, said there are no easy ways to prevent it, but you can take some measures.

There are a few things that can reduce the risk if you are willing to accept diminished functionality in the car. For example, the telematics unit can be removed from the vehicle to eliminate attacks over the cellular network, but this also will prevent mobile apps and other remote functionality from working. Removing the telematics unit could also trigger warnings and other errors to appear in the instrument cluster or infotainment system.

Patch Your Netgear Router Because it Could Get Hacked

· Andrew Orr · Link

Netgear is pushing out security patches for its networking products this week. The affected products contain flaws that could open them up to hackers.

Modem/routers:

D6200, D6220, D6400, D7000, D7000v2, D7800, D8500

Range extenders:

PR2000

Routers:

JR6150, R6120, R6220, R6230, R6250, R6260, R6400, R6400v2, R6700, R6700v2, R6700v3, R6800, R6900, R6900P, R6900v2, R7000, R7000P, R7100LG, R7300DST, R7500v2, R7800, R7900, R7900P, R8000, R8000P, R8300, R8500, R8900, R9000, RAX120, RBR20 (Orbi), RBS20 (Orbi), RBK20 (Orbi), RBR40 (Orbi), RBS40 (Orbi), RBK40 (Orbi), RBR50 (Orbi), RBS50 (Orbi), RBK50 (Orbi), XR500, XR700

Someone Hacked J.Crew Last Spring and We Only Find Out Today

· Andrew Orr · Link

According to a notice [PDF] from J.Crew, someone hacked the company last year. For some reason we’re only finding out about it today, a year later.

“The information that would have been accessible in your jcrew.com account includes the last four digits of credit card numbers you have stored in your account, the expiration dates, card types, and billing addresses connected to those cards, and order numbers, shipping confirmation numbers, and shipment status of those orders,” J.Crew’s data breach notification explains.

You know, sometimes when I write about this stuff, like Facebook doing every bad thing under the sun with our data, I stop and think: “Am I just a cynical a**hole?” Then, when yet another idiot company has a data breach, I realize, no I’m just reporting reality. These companies deserve to be named and shamed.

HackerOne Punished Researchers Who Disclosed PayPal Bugs

· Andrew Orr · Link

HackerOne is a bug bounty platform that connects companies with security researchers. Recently, when researchers used the platform to disclose six PayPal vulnerabilities, they were punished.

When our analysts discovered six vulnerabilities in PayPal…we were met with non-stop delays, unresponsive staff, and lack of appreciation…When we pushed the HackerOne staff for clarification on these issues, they removed points from our Reputation scores, relegating our profiles to a suspicious, spammy level.

This happened even when the issue was eventually patched, although we received no bounty, credit, or even a thanks…We’ll assume that HackerOne’s response is representative of PayPal’s response.

SlickWraps Was Hacked, But Hasn’t Done Anything About It

· Andrew Orr · Link

SlickWraps makes skins for iPhones and Androids. It was recently hacked, but fortunately by a white hat hacker without malicious intentions. The story behind it is fascinating, especially because the company has blocked him and so far has failed to do anything about it.

To say I went to great lengths to treat SlickWraps equitably would be an understatement. Candidly, after the staggering number of primitive security flaws exhibited by their administrators (e.g. the vulnerability to Dirty COW, an exploit which was patched in 2016), I question whether they deserved the leniency I am about to describe.

Update: Other people are hacking the company too. One of them sent emails to SlickWraps customers, telling them to tweet and email the company, which responded to the incident on Twitter.

Iran Hackers Put Backdoors in VPN Servers

· Andrew Orr · Link

A new report finds that hackers from Iran have been putting backdoors in VPN servers around the world in the “Fox Kitten Campaign.” It sounds like the affected companies provide VPN for enterprises rather than consumers. ZDNet names Pulse Secure, Palo Alto Networks, Fortinet, and Citrix as the vendors involved.

Though [sic] the campaign, the attackers succeeded in gaining access and persistent foothold in the networks of numerous companies and organizations from the IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors around the world.

Ransomware Hackers Now Want Your Nudes

· Andrew Orr · Link

Security researchers have discovered a new form of blackmail from ransomware hackers: they demand nudes instead of money.

While most ransomware strains require monetary compensation in return for a decryptor, Ransomwared is demanding a more unusual payment. Once a computer is infected, a pop up will appear and demand that the victim send the author pictures of “tits” in exchange for an “unlock code.”

Maybe this speaks to my cynicism or just the fact that the world is filled with bad people. But I’m honestly surprised I haven’t heard of this type of ransomware extortion sooner. You could just send random porn, they wouldn’t be able to know if they’re actually your nudes. But they might ask you to hold up a sign with the current date as proof that it’s you. However, what if you just searched online for a nude with a sign, then photoshopped the current date on it? Okay, I need to stop. This is why Charlotte worries about me.

Chinese Military Charged With Equifax Data Breach

· Andrew Orr · Link

Four Chinese military hackers have been charged with breaking into Equifax’s network and stealing the data of tens of millions of Americans.

The accused hackers exploited a software vulnerability to gain access to Equifax’s computers, obtaining log-in credentials that they used to navigate databases and review records. The indictment also details efforts the hackers took to cover their tracks, including wiping log files on a daily basis and routing traffic through dozens of servers in nearly 20 countries.

Reminder that Equifax executives did insider trading based on the breach. They are criminals.

Hackers Dump 70,000 Tinder Photos of Women

· Andrew Orr · Link

Over 70,000 Tinder photos of women have been dumped on an online cybercrime forum.

Contextual clues, including particular phone models like the iPhone X seen in the photographs, as well as limited metadata, suggest that many of the (mostly) selfies were taken in recent years. Some of the photos, in fact, contain timestamps dated as recent as October 2019.

Tinder also noted that all of the photos are public and can be viewed by others through regular use of the app; although, obviously, the app is not designed to help a single person amass such a massive quantity of images. The app can also only be used to view the profiles of other users within 100 miles.

Emphasis mine.

Texas Sees Surge in Iranian Cyber Attacks

· Andrew Orr · Link

Texas officials say they’ve seen an increase in Iranian cyber attacks. Over the past two days as many as “10,000 probes…per minute” came from the country.

Speaking after a meeting of the Texas Domestic Terrorism Task Force, of which she’s a member, Crawford of the state information resources agency said as far as she knows, none of the attempted cyberattacks on state government networks originating in Iran have been successful.

Travelex Infected With Sodinokibi Ransomware, Attacker Wants $3M

· Andrew Orr · Link

A cyber attack infected international foreign currency exchange Travelex with Sodinokibi ransomware. The attackers are demanding US$3 million.

The attack occurred on December 31 and affected some Travelex services. This prompted the company to take offline all its computer systems, a precaution meant “to protect data and prevent the spread of the virus.”

We were told that they deleted the backup files and that the ransom demanded was $3 million; if not paid in seven days (countdown likely started on December 31), the attackers said they will publish the data they stole.